CERT Analysis Center:
Research into Predictive Cyber Analysis
Casey J. Dunlevy
Team Lead
CERT Centers, Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
SEI is sponsored by the U.S. Department of Defense
© 2001 by Carnegie Mellon University
Intelligence - page 1
Why Analysis Research?
Bad Guys!
Threats growing
Vulnerabilities Increasing
Internet now part of the social fabric
- Impact of a major cyber-attack would be significant
- Cascading effects a major concern
Reactive response must give way to proactive preparation
Threats
National Security
- Critical National Infrastructure
- Cyber-Warfare
Computer Crime
- Organized Crime
- Identity Theft
- Extortion
Non-State Actors
- Terrorists
- Political Activists
Recent Events
Release of malicious code from China - each release concurrent with a political event
CodeRed in all its forms
CSI/FBI Survey: 90+% experienced unauthorized use, 44% did not report it
G8 Finance Ministers estimate computer crime costing $80 billion per year
All point to a pervasive fundamental misunderstanding of the Internet environment
Analytic Approaches
The systematic and broad-scale accumulation of understanding of current and prospective behaviors on the Internet:
Technical, Political, Economic, and Social triggers
Attacks and defenses
Vulnerabilities and corrections
Victims and perpetrators
Coupled with:
The systematic and broad-scale examination of Internet activity to assess, predict and understand current and prospective political, economic, societal, and technological impacts (PEST).
Attack Sophistication vs. Intruder Technical Knowledge
(Chart slide; only its labels survived extraction. Timeline 1980, 1985, 1990, 1995, 2000 along the x-axis; Attack Sophistication from Low to High on the y-axis. Two curves: Tools rising over time and Intruder Knowledge falling, with Attackers marked at the low-knowledge end.)
Attack labels on the chart, as extracted: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, burglaries, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, network mgmt. diagnostics, distributed attack tools, stealth / advanced scanning techniques, new class of cross site tools.
New Threat Paradigm
Traditional Threat Definition:
- Threat = Capability + Intent
New Threat Definition:
- Threat = Capability + Intent + Knowledge
Capability includes tools and the ability to gain access
Intent is the motivation
Knowledge is the specific, sophisticated ability to operate within a system/network after gaining access
New Threat Paradigm most applicable to high-level threats
Incident Figures
CERT/CC Incidents Reported
- 1988-2000: 47,711
- 1999: 9,859
- 2000: 21,756
- 2001 Q1-Q3: 34,754
Vulnerabilities Discovered
- 1995-2000: 2,596
- 1999: 417
- 2000: 1,090
- 2001 Q1-Q3: 1,820
Emerging and Future Trends
Computer Network Operations being incorporated into national military strategies and doctrines
Overlapping of traditional crime with cyber-crime
Use of nuisance tools for overtly criminal purposes
Increasing opportunities for cyber-extortion
DDoS provides national CNO, organized crime and terrorist groups a weapon of last resort
Growing Use of Encryption
Exploitation of Jurisdictional Asymmetries
Dealing with the Threat - Analysis Efforts
Technical Analysis
Fusion Analysis
- Country Studies
- Political, Social, Economic awareness
- Decision Maker support
Policy/Legal Analysis
- New Legislative efforts
- Lack of consistent policies
Low-Packet Filtering
TCP is a session-based protocol
Used for remote access, file transfers
It's hard to use TCP without generating a lot of packets
- Negotiation, transmission, configuration, error checking
Few legitimate low-packet sessions possible
- Mostly web access
One Effort: Looking Inside the Noise
Network Activity Example
Overall Activity
Approx 2.5 Gbytes/day
Noise - Below the Radar
Low-Packet Traffic
Initial Results
Spikes usually mean a scan in progress
The peaks amount to <1% of the total byte traffic at any time
- 400 Kb vs. 1.4 Gb
Fair results using a top-10 list approach
- Identify and investigate the 10 busiest low-packet sites per hour
Future Work
Tighter metrics
- How many unique sessions before it's a scan?
Synchronize with tcpdump data
- Most single-packet scans exploit TCP flags
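The low-packet triage described across the Low-Packet Filtering, Initial Results and Future Work slides, written out as an added worked example; this is not code from the deck or from the CERT Analysis Center. It assumes NetFlow-style records carrying packet and byte counts and the TCP flags seen per session. The sample flows, the 3-packet "low-packet" cutoff, and the 10-distinct-target scan threshold are constructed for illustration, as are the names Flow, low_packet_sessions, top_low_packet_sources and scan_candidates.

```python
"""Hourly low-packet session triage: the "top 10 busiest low-packet sites per
hour" approach, plus a unique-target count and a SYN-only tally for the scan
questions raised under Future Work. Added example; constructed data only."""
from collections import defaultdict
from typing import List, NamedTuple


class Flow(NamedTuple):
    hour: int      # hour bucket of the session start
    src: str
    dst: str
    dport: int
    packets: int   # packets in the session
    nbytes: int    # bytes in the session
    flags: str     # TCP flags seen, e.g. "S" = SYN only, "SA" = SYN and ACK


# Constructed sample records (not real traffic). 10.0.0.5 behaves like a SYN
# scanner: one-packet sessions to many distinct hosts. 192.0.2.10 is an
# ordinary web client. 198.51.100.7 is a bulk file transfer.
FLOWS: List[Flow] = [
    *[Flow(0, "10.0.0.5", f"203.0.113.{i}", 80, 1, 60, "S") for i in range(1, 13)],
    Flow(0, "192.0.2.10", "203.0.113.1", 80, 2, 120, "SA"),
    Flow(0, "192.0.2.10", "203.0.113.2", 443, 3, 180, "SA"),
    Flow(0, "198.51.100.7", "203.0.113.9", 21, 4000, 5_000_000, "PA"),
    Flow(1, "192.0.2.10", "203.0.113.3", 80, 40, 30_000, "PA"),
    Flow(1, "192.0.2.10", "203.0.113.4", 443, 2, 130, "SA"),
]

MAX_PACKETS = 3        # assumption: a "low-packet" session has at most 3 packets
SCAN_MIN_TARGETS = 10  # assumption: distinct destinations before a source is called a scan


def low_packet_sessions(flows, max_packets=MAX_PACKETS):
    """Sessions too short to be a normal negotiate/transfer/teardown exchange."""
    return [f for f in flows if f.packets <= max_packets]


def low_packet_byte_share(flows, max_packets=MAX_PACKETS):
    """Fraction of all bytes carried by low-packet sessions (the "<1%" figure)."""
    total = sum(f.nbytes for f in flows)
    low = sum(f.nbytes for f in low_packet_sessions(flows, max_packets))
    return low / total if total else 0.0


def top_low_packet_sources(flows, hour, n=10, max_packets=MAX_PACKETS):
    """The n sources with the most low-packet sessions in one hour, busiest first."""
    counts = defaultdict(int)
    for f in low_packet_sessions(flows, max_packets):
        if f.hour == hour:
            counts[f.src] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def scan_candidates(flows, min_targets=SCAN_MIN_TARGETS, max_packets=MAX_PACKETS):
    """(hour, src) pairs whose low-packet sessions touch >= min_targets distinct
    hosts; also reports how many of those sessions were SYN-only."""
    targets = defaultdict(set)
    syn_only = defaultdict(int)
    for f in low_packet_sessions(flows, max_packets):
        key = (f.hour, f.src)
        targets[key].add(f.dst)
        if f.flags == "S":
            syn_only[key] += 1
    return [
        {"hour": h, "src": s, "unique_targets": len(d), "syn_only_sessions": syn_only[(h, s)]}
        for (h, s), d in sorted(targets.items())
        if len(d) >= min_targets
    ]


if __name__ == "__main__":
    print(f"low-packet byte share: {low_packet_byte_share(FLOWS):.4%}")
    for hour in sorted({f.hour for f in FLOWS}):
        print(hour, top_low_packet_sources(FLOWS, hour))
    for c in scan_candidates(FLOWS):
        print("scan candidate:", c)
```

On the constructed data the bulk transfer carries almost all of the bytes, so the low-packet sessions fall well under 1% of traffic while the scanner still tops the hourly list; the unique-target count and the SYN-only tally are the two knobs the Future Work slide asks about, and both thresholds should be tuned against real baseline traffic before being trusted.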
Projects - I
1. Routing Anomalies and Backdoors
Find and fix poor router configurations. Identify and monitor/eliminate backdoors.
2. NetFlow/Collector Architecture
Better data for security analysis and engineering.
3. Detecting Stealth Scans
Identify all scans: broad, deep, and stealthy.
Projects - II
4. Empirical Baseline
Traffic-based definition of normality -> anomaly detection.
5. Topology Mapping and Maintenance
Create and maintain a map of the network -> anomaly detection.
6. DNS Database
Rapid identification of domain names and locations, with history.
7. Laboratory
Discover signatures and experiment with policies.
Projects - III
8. Incident Analysis
Identification of vulnerable or compromised hosts
9. Fusion Analysis for Social Adjacency
Discover social networks of cyber attackers
10. Sensor Hierarchy Architecture
Improved defense in depth
11. Analysis Toolkit
Modular architecture and tools for NSS and sponsors
Dealing with the Threat - Analysis Efforts
Technical Analysis
Fusion Analysis
- Country Studies
- Political, Social, Economic awareness
- Decision Maker support
Policy/Legal Analysis
- New Legislative efforts
- Lack of consistent policies
Fusion Efforts
Small-packet probes analyzed
- Patterns emerged
- Identified potential threat
Analysis of CERT/CC incident data
- Identified possible link between state and hacker groups
- Hacker communications assessment
Working on profiles, country studies, event analysis
Low-Packet Traffic
Results of Fused Analysis
What was determined?
- Data collected showed definite network indicators
- A methodology can be developed to provide possible warning indicators
- Based on a limited dataset, network indicators suggest possible malicious probes by China
Network Indicators suggest number of motivations
- Exploitation
- Site mapping
- Intelligence gathering for further activity
Pakistani/Indian Defacements
(Chart slide: a timeline of defacements from 10/99 to 4/01, marked at 10/99, 1/00, 4/00, 7/00, 10/00, 1/01 and 4/01. Each defacement is rated on two scales: Well written vs. Juvenile, and No mention of terrorist organizations vs. Mentions terrorist organizations.)
Results of Fused Analysis
First indication of a national intelligence agency (ISI) co-opting hacker groups
Malicious effort targeted against another nation-state
Capabilities increasing with experience
Potential use of cyber-weapons in future
Dealing with the Threat - Analysis Efforts
Technical Analysis
Fusion Analysis
- Country Studies
- Political, Social, Economic awareness
- Decision Maker Support
Policy/Legal Analysis
- New Legislative efforts
- Lack of consistent policies
Policy and Legal Analysis
Lack of consistent policies
Clarify inter-dependencies between public and private interests
Increase understanding of the global nature of the Internet
Review proposed and enacted legislation
Analyze statutory conflicts both nationally and internationally
Problems with Legislation
Lack of laws
- Two U.S. States have no cyberlaw
- Foreign laws vary widely
Ambiguous laws
- Crime sometimes hard to define
Lack of precedent
- Case law limited at best
Conflicting law
- Illegal in one state, legal in another
- Illegal in one country, legal in another
Problems with Legislation (continued)
Knowledgeable Legislators?
- Lack of understanding of complexities
- Not technically up-to-date
- Knee-jerk reaction to visible threats
Slow Process
- Keeping up with Technology Trends
- Search Warrants
Authorized v. Unauthorized Access
Intent
Challenges to Analysis Research
Gathering sufficient datasets to make statistically valid judgements
Developing automated technical analysis tools
Developing a reliable methodology for cyber-analysis
Overcoming organizational bias against sharing information
Dealing with complex legal issues
Developing analytic professionals
Bottom Line
Time to deal with the world as it is - not how we want it to be! The monsters are real!
The threat is real, varied, growing, and distributed
Multi-level, multi-discipline analysis is critical to success
No solutions without working partnerships